[Info-vax] VMS internals design, was: Re: BASIC and AST routines
Andrew Commons
andrew.commons at bigpond.com
Sat Nov 27 00:46:14 EST 2021
I've been watching this thread with a mixture of amusement and horror. The
triggering thread regarding AST routines was equally enlightening. In
fact if I ever feel the urge to start a thread here I will probably make
the subject line something like this:
<My Topic>, was: Re: Something Simon Clubley felt strongly about
Purely out of curiosity, to see if it stopped forking :)
So, for Simon...
>> One of the biggest mistakes made is that DEC went to the trouble of
>> implementing a 4-mode architecture and then completely blew how it was
>> used.
Well, a bit like Intel implementing a 4-mode architecture and then having
Microsoft completely blow how it is used?
Note that the OS/2 update that Cutler and Co were originally hired to work
on used 3 of the modes. When Windows looked like becoming a success, it
switched to a Windows upgrade instead. Gates wanted it to run on
consumer hardware, so things got dropped. There are still 4 modes available
and I'm sure VSI are using them.
>> That 4-mode architecture could have provided some really truly radical
>> internal security separation within VMS, but once you are in any of the
>> 3 inner modes, you can get to any of the other inner modes so all those
>> extra modes were wasted from a security isolation point of view.
Put your money where your mouth is. Prove it. Post examples that show a
fundamental flaw rather than an Ooops in a single privileged program.
>> In case you are wondering, you can escalate from supervisor mode because
>> DCL has access to the privileges of the programs it runs even though it
>> doesn't actually need them. That kind of thing should have stayed within
>> the kernel so DCL never sees those privileges.
If this was such a huge fundamental problem I would expect masses of
vulnerability reports. Where are they? Post examples.
When a program runs in a privileged context then those writing the program
obviously need to exercise care. Ideally you enable/disable privileges
on a just-in-time basis and, obviously, when you are operating in a mode
higher than the originating mode any inputs from the lower mode must be
treated with caution. Failing to do this on one occasion does not invalidate
the security model.
I will now scrub my cookies and history back to bedrock which I recommend
after logging in to anything Google related.
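Added illustration, not code from the post or from OpenVMS itself: the just-in-time privilege pattern the post recommends, modelled in portable C so it runs anywhere. `setprv`, the `PRV_` bits and the `SS_` status codes are assumed stand-ins for SYS$SETPRV, the PRV$M_* privilege bits and SS$_ status values (names and numbers are invented, not the real API); the "system" table and the lower-mode inputs are constructed. The careful service validates what the lower mode handed it before enabling anything, enables one privilege, and restores exactly the previous mask; the sloppy variant beside it shows the failure mode, returning to its caller with privileges still enabled on the error path.

```c
/* Added example, not code from the post or from OpenVMS: a portable model of
 * "validate lower-mode input first, enable a privilege just in time, restore
 * the previous mask". setprv() and the PRV_/SS_ names are stand-ins for
 * SYS$SETPRV, the PRV$M_* bits and SS$_ status codes (assumed, not the real
 * API or values). The table and inputs are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t privmask_t;
#define PRV_SYSPRV ((privmask_t)1u << 0)   /* stand-in for PRV$M_SYSPRV */
#define PRV_CMKRNL ((privmask_t)1u << 1)   /* stand-in for PRV$M_CMKRNL */
#define PRV_BYPASS ((privmask_t)1u << 2)   /* stand-in for PRV$M_BYPASS */

enum { SS_NORMAL = 1, SS_ACCVIO = 2, SS_NOPRIV = 3 };  /* toy status codes */

static privmask_t g_cur = 0;                              /* currently enabled */
static const privmask_t g_auth = PRV_SYSPRV | PRV_CMKRNL; /* authorized for this process */

void reset_privs(void) { g_cur = 0; }
privmask_t current_privs(void) { return g_cur; }

/* Model of SYS$SETPRV: enable or disable the bits in mask. The mask in force
 * before the call is handed back through prev (if non-NULL) for later restore. */
int setprv(bool enable, privmask_t mask, privmask_t *prev) {
    if (prev) *prev = g_cur;
    if (enable) {
        if (mask & ~g_auth) return SS_NOPRIV;  /* never enable an unauthorized privilege */
        g_cur |= mask;
    } else {
        g_cur &= ~mask;
    }
    return SS_NORMAL;
}

/* A "system" table that only a privileged caller may write (constructed). */
#define SYS_TABLE_LEN 8
static uint32_t sys_table[SYS_TABLE_LEN];
uint32_t get_sys_param(size_t index) { return index < SYS_TABLE_LEN ? sys_table[index] : 0; }

/* Careful service: index and value arrive from the lower access mode. */
int set_sys_param(size_t index, uint32_t value) {
    /* 1. Check everything the lower mode handed us BEFORE enabling anything. */
    if (index >= SYS_TABLE_LEN) return SS_ACCVIO;

    /* 2. Enable only the privilege this step needs; remember what was on. */
    privmask_t prev;
    int st = setprv(true, PRV_SYSPRV, &prev);
    if (st != SS_NORMAL) return st;

    /* 3. The one privileged operation. */
    sys_table[index] = value;

    /* 4. Turn off only what we turned on; a privilege the caller already held stays. */
    setprv(false, PRV_SYSPRV & ~prev, NULL);
    return SS_NORMAL;
}

/* Sloppy service: enables everything it is authorized for up front and never
 * drops it, so even its error path returns to the caller with privileges on. */
int set_sys_param_sloppy(size_t index, uint32_t value) {
    setprv(true, g_auth, NULL);
    if (index >= SYS_TABLE_LEN) return SS_ACCVIO;  /* returns with g_auth still enabled */
    sys_table[index] = value;
    return SS_NORMAL;
}

int main(void) {
    int st;
    reset_privs();
    st = set_sys_param(99, 1);
    printf("careful, bad index: status %d, privs after 0x%llx\n", st, (unsigned long long)current_privs());
    st = set_sys_param(3, 42);
    printf("careful, good index: status %d, privs after 0x%llx\n", st, (unsigned long long)current_privs());
    reset_privs();
    st = set_sys_param_sloppy(99, 1);
    printf("sloppy, bad index: status %d, privs after 0x%llx\n", st, (unsigned long long)current_privs());
    return 0;
}
```

The restore in step 4 is the detail that is easy to get wrong: disabling PRV_SYSPRV unconditionally would strip a privilege the caller legitimately had on entry, while forgetting the disable altogether is the sloppy variant. Using the previous mask returned by the enable call gives you exactly the state you started from.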